Over the last few months, we have explored data collection practices across a variety of personal domains through a series of articles. In doing so, we’ve strived to provide readers with an overview of some of the ways personal data is generated, collected, and used that may have an impact on their daily lives. Through this process, we’ve learned that personal data is being collected from individuals while they sleep, from the apps on their phone; while they travel to work, school, or the store, regardless of the method of transportation they use; and while they grocery shop, using Bluetooth beacons to identify what items an individual might be purchasing. This series was not intended to be exhaustive, and serves only as a starting point for further research into data collection in Canada.

From the start, it was clear that personal data collection practices are pervasive throughout our society. In exploring personal data collection practices, we have illustrated that there is no single entity collecting personal data. We’ve found that personal data collection practices are being executed ubiquitously by a multitude of actors. Sometimes, this results in competition for the same kind of data, such as in the case of Uber and Lyft. However, acquisitions, such as that of Fitbit by Google, are creating more concerted and complementary approaches to data gathering, sharing, and use.

This final article summarizes what we currently know about public perceptions related to personal data collection, data activism efforts and tools, and current legislation and policy, and highlights the next steps we at BII+E would like to take.

Public Perceptions

International exposure and the publicity of large-scale data collection in the United States by Edward Snowden,[1] as well as various high-profile data breaches, including LifeLabs,[2] Equifax,[3] Caisse Desjardins,[4] Yahoo,[5] Cambridge Analytica,[6] and Facebook,[7] have created more public awareness and discussion of data collection activities.

Canadians want more transparency in how their data is being collected and how it is being used. In a 2017 study by CanadaNext,[8] 69 percent of Canadians reported that when thinking about future technological advances, they are “very worried about privacy and the security of their personal information.”[9] This study found that 75 percent of Canadians surveyed agree that “data collected by governments should be owned by the citizens they collect it from.” Likewise, 74 percent of Canadians agree that “data collected by private companies should be owned by the citizens they collect it from.” Interestingly, 46 percent of Canadians agree that “data collected by private companies should be provided to governments so that they can use it to improve public services and benefit Canadians.”[10] However, when asked if data collected by the government should be given freely to the private sector so that they can create products, services, jobs, and economic growth, only 27 percent of Canadians agreed.[11] These findings indicate that Canadians want more control over their personal data, and are more comfortable with it being shared with the government than the private sector.

According to a 2016 survey conducted by the Office of the Privacy Commissioner of Canada, Canadians regard themselves as having good knowledge of their privacy rights, as well as a strong understanding of the impact of new technologies on personal privacy. However, 92 percent of those surveyed reported some level of concern about their privacy, and 74 percent believe they have less protection over their personal data than they did 10 years ago.[12] Nearly half of the Canadians surveyed perceive a lack of control over how their personal data is collected or used by organizations.[13] This includes concern about data collection and use of health and fitness information for non-medical reasons.

While we have a high-level understanding of public perceptions towards privacy, we lack detailed, contextual insight into how people feel when they are made aware of the kind of data that is being collected from them while they access specific applications and services. Are individuals comfortable with being tracked throughout a grocery store, and then sent coupons to use for their commonly-purchased items? Further research into public perceptions of which specific data collection practices are acceptable, and which are not, is required to help inform thoughtful policy.

Data Activism Organizations + Tools

Alongside the public’s growing concern about data privacy is a lack of knowledge and awareness of how personal data is currently being collected and used, as well as what individuals can do to protect their data. In response to this, a number of data activism efforts seeking to advocate and provide support for personal data protection have emerged in Canada. On the one hand, this consists of organizations that are working to address this concern through research, community building, and educational offerings. This includes, but is not limited to, research organizations such as the Citizen Lab, Open Privacy, and Surveillance in Canada; community-building organizations like Civic Tech Toronto, Civic Tech Vancouver, and Ottawa Civic Tech; and civil society organizations such as Tech Reset Canada, Canadian Civil Liberties Association, and the Digital Justice Lab.

On the other hand, data protection activism encompasses tools that have been developed to protect individuals’ personal data and privacy, and raise awareness of data collection and tracking. This includes tools such as privacy extensions for web browsers, like Privacy Badger, and Virtual Private Networks (VPNs)[14] to ensure user privacy while browsing the internet. Alternatively, individuals can use privacy-focused web browsers, such as Brave, Opera, and DuckDuckGo, which include built-in ad blockers, tracking blockers, and encryption. Brave automatically upgrades connections to HTTPS when possible to secure them, while Opera uses its own VPN to secure users’ privacy while browsing the web. When it comes to communicating, there are a number of widely-used applications that have been developed to ensure secure communication. These include Signal and WhatsApp, which support end-to-end encryption. As of 2017, WhatsApp was reported to have 1.5 billion global users.[15] Signal has yet to report the number of users it has.

While these tools strive to maintain users’ privacy, this is not always guaranteed. In 2019, hackers were able to remotely install surveillance software on the phones and devices of WhatsApp users through a security vulnerability in the messaging app.[16] This software enabled the attacker to read encrypted messages within the app.[17] Activists, journalists, and human rights defenders were likely the most targeted.[18] Once WhatsApp became aware of the attack, it updated its software to remove the flaw through which the attack took place. However, it’s unknown whether the surveillance software that was downloaded to users’ devices has been removed.[19]

This shows that even when users take precautions to protect their personal data, they may be subject to malicious attacks. Stronger policy and legislation surrounding the collection of personal data may help to mitigate these events.

Current Policy + Legislation

There are a number of laws and policies in Canada that govern the collection and use of data. However, there has been increasing recognition that some of these documents need to be updated to reflect the current environment. Additionally, Canadians’ ever-changing definitions of what is considered public and private information contribute to the blurry line of privacy in the era of big data. A number of modernization efforts are underway to reform current policy and legislation surrounding personal data collection.

One of the recent changes made by the Ontario Ministry of Health was intended to modernize Ontario’s Personal Health Information Protection Act (PHIPA) to enable patients to access their personal health information more easily, and to make patient health data more broadly available to health-care practitioners, researchers, and innovators as a way to stimulate economic development.[20] These changes have faced criticism from privacy experts, who argue that there is a lack of protections to ensure an individual’s health data is safeguarded. This includes proper measures to anonymize patient data and ensure it does not fall into the wrong hands, such as those of marketers or insurers.[21]

The Personal Information Protection and Electronic Documents Act (PIPEDA) has come under criticism for the lack of relevance of its consent regime and enforcement model in the digital, data-driven economy. “The House Standing Committee on Access to Information, Privacy, and Ethics has also recommended updates to improve control and organizational transparency, in order to strengthen privacy protections in an age where individuals feel a lack of control and understanding.”[22]

At the national level, the Government of Canada has made it a priority to advance Canada’s Digital Charter. A 2019 mandate letter from Prime Minister Justin Trudeau sets out 25 priority areas, including data privacy, and calls upon the Privacy Commissioner to establish a set of online rights.[23] This includes, but is not limited to, the right to erase, withdraw, or remove your personal data; the right to know how your data is used; the ability to withdraw consent to the sale or sharing of personal data; and the right to view and challenge the amount of personal data collected by a company or government entity.[24]

As part of the Data Strategy Road Map, the federal government has acknowledged that it needs to change how it collects, manages, governs, and shares data across sectors, across governments, and with Canadians.[25] Among six recommendations is a call to “[i]mprove and develop overall standards and guidelines that govern how departments access, collect, use, safeguard, and share data, and a clear process for developing and refining these over time”; and to “[c]larify the governance around data to ensure that the Government of Canada manages valuable data assets for the public good.”[26] In June 2019, the federal government announced it had completed major improvements to the Access to Information Act.[27] This included giving the Information Commissioner the ability to make binding orders to government institutions to release information, and ensuring relevant government institutions operate by the principle of “open by default” in order to make key information available to individuals without the need to request it. The Access to Information Act undergoes revisions every 5 years. Revisions have yet to address frustrations related to the length of time it takes to receive information once it has been requested, and do not address current exemptions in the law that allow government agencies to withhold or redact information if it pertains to “national security, legal privilege, and business dealings.”[28]

Some efforts to modernize provincial legislation related to personal data are also underway. For example, Ontario’s Digital Strategy consultations, launched in February 2019, seek to gain insight from residents and business owners to inform the strategy’s core principles. The Government of British Columbia also launched Draft Principles for Digital Change for feedback in January 2020, with one of its pillars focused on the management of information and data in accordance with value and user needs.[29]

Balancing Opportunities and Challenges

In many ways, the collection and use of personal data can lead to enormous benefits for individuals and society as a whole. Data can enable governments to make better, more informed decisions, and more effectively design and deliver programs and services.[30] In healthcare, for example, when an individual’s health data is made accessible across multiple health-care practitioners, it can improve care and treatment outcomes for that individual. In addition, aggregated patient data on a large scale provides doctors and researchers with the opportunity to identify new causes of diseases and appropriate treatments. This kind of sharing and knowledge generation is something a paper-based records system did not lend itself towards. Additionally, aggregated, anonymized health data could help private sector start-ups, such as Think Research, develop novel ways to improve healthcare. In the realm of public transit, aggregating passenger data, such as where passengers tapped on/off and the duration of their trip, can be leveraged to plan public transit more effectively, and to optimally serve and identify underserved routes. In the financial sector, big data is enabling banks to detect and mitigate fraud by monitoring transactions in real time, and aggregating data to spot patterns and trends.

Data collection and sharing are extremely important practices in order to leverage the benefits data presents, and to maintain a competitive advantage in today’s increasingly digitally-driven economy. However, organizations face challenges in managing the amount of personal data they collect, store, and use, in a way that ensures individual privacy and safety while enabling innovation and economic growth. Threats can come in the form of data breaches, such as the LifeLabs breach in 2019, which exposed personal information including names, home addresses, dates of birth, email addresses, National Health Card numbers, lab test results, Login IDs, and passwords of LifeLabs customers.[31] Personal data privacy and security threats could go beyond extracting personal information to applying artificial intelligence applications, such as machine learning and image recognition, to identify individuals using only a few data points. Given the sophistication of new techniques, this is particularly concerning. In October 2019, the Mayo Clinic reported that it is possible to identify an individual based on facial reconstruction of their MRI scan.[32] While many organizations have taken initiative to anonymize customer data to enhance individual privacy, it seems these efforts have so far been ineffective. In July 2019, researchers from Imperial College London and University of Louvain showed that an American could be correctly re-identified from any anonymized dataset 81 percent of the time, by combining just three data points: gender, birth date, and postal code.[33] The authors also showed that there is a 99.8 percent chance that an individual living in Massachusetts could be re-identified using 15 demographic attributes.[34]

This has raised calls for more protections and frameworks for managing the challenges associated with the collection and use of personal data that are consistent with national values.[35]

Next Steps

As the use of data-driven decision making becomes more widespread, the importance of data will increase. It is therefore crucial for governments, civic advocacy groups, industry, and individuals to understand the opportunities and challenges created by current personal data practices. As we noted at the beginning of this series, much of the information we have included draws heavily from international sources, primarily those in the U.S. and European contexts. This is due to the lack of research done on data collection practices and related privacy debates in Canada.

To fill this gap, BII+E is proposing to undertake original qualitative research to closely investigate personal data collection practices and perceptions of privacy in Canada. The key questions we seek to answer are:

What patterns exist in the data that is generated about and collected from different people as they go about their daily lives?

How is this data being generated, collected, and used?

What are individuals’ perceptions on data collection and privacy? How aware are participants of the data they are currently sharing?

Is there a difference between how much privacy individuals believe they have and how much data is being collected from them?

The core goal of this project is to generate detailed insights into personal data collection practices in Canada from the perspective of the individual. The findings gained from this research will help to inform government data strategies. For other actors, such as the private sector, we will provide insight into how to better understand and navigate individuals’ privacy concerns. This study will provide empirical insights into the actual perceptions and practices of individuals in relation to personal data collection and privacy in Canada. The findings from this research are expected to help ground policy discussions in the actual experiences and perceptions of residents. Overall, this project will spark a more informed discussion about data ownership, data sharing, privacy, and trust in Canada.

We believe it’s important to advance the conversation across the nation, in an accessible and collaborative way. If you are working in this space, we would love to speak with you.

Technology and policy related to this topic are constantly evolving. If you think we have missed something, see an error, or want to get involved in this project, please contact Sarah Villeneuve.

Housed at Ryerson University, the Brookfield Institute for Innovation + Entrepreneurship prepares Canadians for the opportunities and risks in the shift to an innovation-driven economy. We provide insightful research and pilot ideas that inform thoughtful policy.